# go-conventions

Install: `claude install-skill swell-agents/coding-skills`
## Default Stack
If the repo doesn't define its own tooling, use:
- **Go** — latest stable minor (`1.25.x` floor). Pin with `toolchain go1.25.X` in `go.mod`, set `GOTOOLCHAIN=local` in CI so the declared toolchain is used verbatim.
- **`go mod vendor`** — vendor deps committed to repo. Enables reproducible + airgapped builds; CI runs `go build -mod=vendor`.
- **GitHub Actions** — CI/CD. Pin every action by commit SHA, not tag.
- **golangci-lint v2** — linting. Strict preset (see below). Run via `golangci-lint run -c .golangci.yml`.
- **gofmt + goimports** — formatting. `goimports` is enabled as a `formatter` in `.golangci.yml`.
- **gosec** — security static analysis. Runs in CI (SARIF upload to GitHub code scanning).
- **semgrep** — additional SAST with `r/default r/go r/dgryski r/trailofbits` rulesets.
- **govulncheck** — official Go vulnerability database scan. Preferred over Nancy (no external account).
- **CodeQL** — GitHub's SAST for Go.
- **modernize** — `golang.org/x/tools/gopls/internal/analysis/modernize/cmd/modernize` checks for outdated idioms.
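The "pin every action by commit SHA" rule above is easy to state and easy to let slip in review. The following Go program is an added example (not part of this skill or any real repository) that scans a workflow file line by line and reports every `uses:` reference whose ref is not a full 40-hex commit SHA. The workflow text is constructed for the demo and the SHA in it is a placeholder, not a real `actions/checkout` commit; it also shows `GOTOOLCHAIN: local` and `go build -mod=vendor` as the stack above prescribes.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// usesLine matches a step's "uses:" value, e.g. `- uses: actions/checkout@v4`.
var usesLine = regexp.MustCompile(`^\s*-?\s*uses:\s*["']?([^\s"'#]+)`)

// fullSHA is a 40-character lowercase hex commit SHA, the only acceptable ref.
var fullSHA = regexp.MustCompile(`^[0-9a-f]{40}$`)

// Finding records one step that is not pinned to a commit SHA.
type Finding struct {
	Line int    // 1-based line number in the workflow text
	Uses string // full "owner/repo@ref" value
	Ref  string // the part after '@' (empty if missing)
}

// UnpinnedActions scans workflow YAML text and reports every `uses:` reference
// whose ref is not a full commit SHA. Local actions ("./path") and docker://
// references carry no git ref and are skipped.
func UnpinnedActions(workflow string) []Finding {
	var findings []Finding
	for i, line := range strings.Split(workflow, "\n") {
		m := usesLine.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		uses := m[1]
		if strings.HasPrefix(uses, "./") || strings.HasPrefix(uses, "docker://") {
			continue
		}
		ref := ""
		if at := strings.LastIndex(uses, "@"); at >= 0 {
			ref = uses[at+1:]
		}
		if !fullSHA.MatchString(ref) {
			findings = append(findings, Finding{Line: i + 1, Uses: uses, Ref: ref})
		}
	}
	return findings
}

// sampleWorkflow is a constructed workflow for the demo. The 40-zero SHA is a
// placeholder standing in for a real pinned commit.
const sampleWorkflow = `name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    env:
      GOTOOLCHAIN: local
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # placeholder SHA
      - uses: actions/setup-go@v5
      - uses: ./.github/actions/local-step
      - name: build
        run: go build -mod=vendor ./...
      - uses: docker://alpine:3.20
      - uses: github/codeql-action/upload-sarif@main
`

func main() {
	for _, f := range UnpinnedActions(sampleWorkflow) {
		fmt.Printf("line %d: %s uses ref %q, not a commit SHA\n", f.Line, f.Uses, f.Ref)
	}
}
```

Run it as a CI gate over `.github/workflows/*.yml` and fail the job when the slice is non-empty; a mutable tag such as `v5` or `main` lets an upstream force-push change what your pipeline executes, which is exactly what SHA pinning prevents.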
## Build Discipline
- **CGo policy.** Default `CGO_ENABLED=0` for pure-Go packages. Enable only when a specific package needs it; tag those files with `//go:build cgo` so pure-Go builds still work.
- **Build tags for runtime variants.** Use explicit tags (e.g. `//go:build tdx`, `//go:build sevsnp`) when the same binary has multiple platform-specific implementations. Exactly one implementation per build.
- **Reproducible
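The "exactly one implementation per build" rule for runtime variants is worth checking mechanically, because a file whose constraint overlaps another's compiles fine for the tag set you happen to test and fails (or, worse, silently picks the wrong attester) for a tag set you don't. The Go program below is an added example, not code from this skill or any project, that uses the standard library's `go/build/constraint` package to evaluate each file's `//go:build` line against every tag set the repo is expected to build with. The file layout (`attest_tdx.go`, `attest_sevsnp.go`, `attest_stub.go`) is constructed for the demo.

```go
package main

import (
	"fmt"
	"go/build/constraint"
	"sort"
	"strings"
)

// variantFiles maps each implementation file to its //go:build line.
// Constructed layout: hardware attesters for TDX and SEV-SNP plus a software
// stub selected when neither tag is set.
var variantFiles = map[string]string{
	"attest_tdx.go":    "//go:build tdx",
	"attest_sevsnp.go": "//go:build sevsnp",
	"attest_stub.go":   "//go:build !tdx && !sevsnp",
}

// SelectedFiles returns the files whose build constraint is satisfied by the
// given tag set, sorted by name, or an error if a constraint does not parse.
func SelectedFiles(files map[string]string, tags []string) ([]string, error) {
	tagSet := map[string]bool{}
	for _, t := range tags {
		tagSet[t] = true
	}
	var out []string
	for name, line := range files {
		expr, err := constraint.Parse(line)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", name, err)
		}
		if expr.Eval(func(tag string) bool { return tagSet[tag] }) {
			out = append(out, name)
		}
	}
	sort.Strings(out)
	return out, nil
}

// CheckExactlyOne applies the "exactly one implementation per build" rule to
// every tag set in builds and returns one message per violating tag set.
func CheckExactlyOne(files map[string]string, builds [][]string) ([]string, error) {
	var problems []string
	for _, tags := range builds {
		sel, err := SelectedFiles(files, tags)
		if err != nil {
			return nil, err
		}
		if len(sel) != 1 {
			problems = append(problems, fmt.Sprintf("tags [%s]: %d implementations selected: %v",
				strings.Join(tags, " "), len(sel), sel))
		}
	}
	return problems, nil
}

func main() {
	// The last tag set is deliberately wrong: building with both tags selects
	// two implementations, which the rule forbids.
	builds := [][]string{nil, {"tdx"}, {"sevsnp"}, {"tdx", "sevsnp"}}
	problems, err := CheckExactlyOne(variantFiles, builds)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, p := range problems {
		fmt.Println(p)
	}
}
```

In a real repo, read the `//go:build` lines from the variant files on disk (the first line of each, or via `go/parser` with `parser.ParseComments`) and feed the same list of supported tag sets your CI matrix builds; the contradictory `tdx sevsnp` set above is the kind of combination the check exists to catch, and an empty tag set must still select exactly the fallback.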